Executive Summary

Any information security initiative within an organization typically involves a set of tools to help the initiative succeed. These initiatives may face tight budgets that limit the funds that can be spent on hardware and software. Insider threat programs (InTPs) are no different: they need tools that can be used to help combat the threat. Insider threat programs should consider five different classes of tools to help prevent, detect, and respond to malicious insiders. The minimum classes of tools needed for an effective program include the following:

1. user activity monitoring (UAM)
2. data loss prevention (DLP)
3. security information and event management (SIEM)
4. analytics
5. digital forensics

Commercial tools are available in all of these categories. However, they are typically geared toward large enterprises, with purchase prices and implementation costs that are out of reach for many smaller organizations. This creates a barrier and a deterrent for many organizations that need to implement an InTP.

Before considering a tool for use in an insider threat program, it is important to consider the following issues:

• Implementation costs: While tools may be low cost or free, there may be other costs associated with them, such as hardware, the skills of the supporting staff, and ongoing support.

• Testing: All tools should be tested before being deployed in a production environment. The tools need to be tested to ensure that they do what they claim to do and do not compromise the confidentiality, integrity, or availability of the system or data on which the tool is deployed.

• Risk analysis and cost benefit: Low cost tools are often provided with little to no support. Additionally, there is no guarantee that the tool will be suitable for a particular purpose. The tool's developers may abandon a project at any time, leaving the users with little recourse.

• Legal issues: Legal counsel must be consulted before deploying technologies that could affect the privacy and legal rights of an employee.

• Country of origin: Organizations should carefully consider the risks of deploying software developed in a country that may have strained relations with the organization's home country. This is especially true of United States government organizations.

This technical note explores tools that may be suitable for satisfying the basic technical needs of an insider threat program, giving organizations a place to start for preventing, detecting, and responding to malicious insiders.
Abstract

This technical note explores free and low cost technical solutions to help organizations prevent, detect, and respond to malicious insiders. The tools presented address the needs of organizations to have, at a minimum, user activity monitoring, data loss prevention, security information and event management, analytics, and a digital forensics and investigation capability. Implementing tools in all of these categories will help an organization have a successful insider threat program.
1 Introduction

Insider threat mitigation efforts involve the collection and analysis of a broad range of data. An effective insider threat program (InTP) should have five different classes of capabilities available to mitigate the risk of insider threats. These capabilities represent the technical component of an InTP. The minimum classes of tools needed for an effective program include the following:

• user activity monitoring (UAM)
• data loss prevention (DLP)
• security information and event management (SIEM)
• analytics
• digital forensics

Commercial tools are available that address all of these categories. However, they are typically geared toward large enterprises, with purchase prices and implementation costs that are out of reach for many smaller organizations. This creates a barrier and a deterrent for many organizations that need to implement an InTP.

This report is intended for organizations that already have an established network security posture and would like to improve their InTP security posture with minimal software investment. It explores low cost tools available to organizations to help them jump start the technical aspect of the InTP. These tools will still require physical hardware and expertise to install, manage, and maintain. Some of them may come with little to no technical support. Often, the developers of open source software contribute to a project in their own free time with little to no compensation. Some products do offer paid support, while others rely on a community of members to provide support to the project. Documentation may also be limited or non-existent in some cases. It is important to keep these factors in mind when considering an open source project. Commercial vendors may also offer free or lower cost versions that lack certain features, only support a small number of users, or have other limited capacities.

1.1 Getting Your Program Started

Many organizations have already invested time and capital developing their infrastructures. Existing devices and applications should be evaluated to determine whether they might help an organization enhance its InTP. For example, network firewalls often have additional functionality that can be activated either by purchasing the feature or simply enabling an existing capability, such as content filtering. This can save an organization money and time.

Organizations should also review their current network topology to determine whether it can effectively support an insider threat program. There may be opportunities to reposition devices within the organization to further enhance security with minimal or no compromise in functionality. Existing devices may support multiple network segments or virtual local area networks (VLANs), thereby allowing the organization to increase the security of InTP assets with little to no additional cost. This will also have the added benefit of increasing the return on investment of a particular device.
1.2 Tool Categories

1.2.1 User Activity Monitoring

The tool category of user activity monitoring is very broad and encompasses a variety of tools.

The National Insider Threat Task Force states that user activity monitoring is "the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support authorized investigations" [1]. This particular requirement is not specific to U.S. government organizations.

Organizations must understand what their users are doing at any given time on organizationally owned assets. This will not only help the organization prevent and detect malicious insiders, but it will also play a key role when an organization is responding to and investigating an incident.

1.2.2 Data Loss Prevention

Data loss prevention (DLP) tools must be able to identify, monitor, and protect data at rest, data in motion, and data in use. The tools need to employ deep content analysis and must be configurable to meet an organization's unique business objectives and information security needs [2].

A DLP tool allows organizations to control how users interact with data. This may include policies that prohibit users from copying content to removable media or emailing it out of the organization. The DLP solution should also be capable of generating audit logs to help support incident investigation.

1.2.3 Security Information and Event Management

Security information and event management systems aggregate logs into a centralized repository and can perform automated analysis on those logs to discover trends and detect anomalies.

According to the Computer Security Handbook,

A security incident and event management (SIEM) system provides an additional method for collection, aggregation, and consolidation of logs from many types of devices. The SIEM leverages baselining and configurable rules to correlate the logs and provide real-time incident-based alerting [3].

SIEM systems can help detect anomalies, which may lead to discovering potentially malicious insiders. The system's baselining and correlation perform a first order of rudimentary analysis that presents a more organized view of the raw log data. SIEM systems also aid in investigations by providing evidence that can be used for both internal incident response and external legal actions. Logs from critical devices, especially those that support the InTP, should be sent to the SIEM for centralized storage and analysis.
1.2.4 Analytics

Analytics tools extend the query and alerting functionality of the SIEM.¹ They can implement advanced machine-learning and statistical techniques to uncover and alert on anomalous activity based on the following:

• threshold/volume-based anomalies
• user/role-based activity baselining
• previously unidentified patterns and trends

They can also provide additional advanced visualization capabilities, such as charts and graphs that can make anomalies more visually apparent.
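The following is an added illustration of the first two bullets above (a fixed threshold/volume rule and user/role activity baselining with z-scores) as a SIEM or analytics layer might apply them to per-user daily volumes. It is not code from this report or from any SIEM product; the records, user names, roles, the 3-sigma limit, and the 5% floor on the standard deviation are constructed assumptions.

```python
"""Added example (not the report's or any product's code): threshold/volume rules and
user/role baselining over constructed per-user daily records of the kind a SIEM exports."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (day, user, role, files_downloaded, mb_out).
# Days 1-6 are ordinary activity; on day 7 alice pulls far more data than usual.
RECORDS = [
    (1, "alice", "engineering", 10, 50), (2, "alice", "engineering", 12, 60),
    (3, "alice", "engineering", 9, 45),  (4, "alice", "engineering", 11, 55),
    (5, "alice", "engineering", 10, 50), (6, "alice", "engineering", 8, 40),
    (1, "bob", "engineering", 15, 70),   (2, "bob", "engineering", 14, 65),
    (3, "bob", "engineering", 16, 75),   (4, "bob", "engineering", 15, 70),
    (5, "bob", "engineering", 13, 60),   (6, "bob", "engineering", 17, 80),
    (1, "carol", "finance", 5, 20),      (2, "carol", "finance", 6, 25),
    (3, "carol", "finance", 4, 15),      (4, "carol", "finance", 5, 20),
    (5, "carol", "finance", 5, 20),      (6, "carol", "finance", 5, 20),
    (7, "alice", "engineering", 400, 2000),
    (7, "bob", "engineering", 15, 72),
    (7, "carol", "finance", 5, 21),
]


def volume_alerts(records, max_files=100):
    """Threshold/volume rule: any user-day above a fixed file count is reported."""
    return [(user, day, files) for day, user, _, files, _ in records if files > max_files]


def _stats(values):
    """Mean and standard deviation, with the deviation floored at 5% of the mean
    (an assumption) so that a perfectly flat history cannot divide by zero."""
    m = mean(values)
    return m, max(pstdev(values), 0.05 * m, 1e-9)


def build_baselines(records, baseline_days):
    """Per-user and per-role (mean, std) of mb_out over the chosen baseline days."""
    by_user, by_role = defaultdict(list), defaultdict(list)
    for day, user, role, _, mb in records:
        if day in baseline_days:
            by_user[user].append(mb)
            by_role[role].append(mb)
    return ({u: _stats(v) for u, v in by_user.items()},
            {r: _stats(v) for r, v in by_role.items()})


def baseline_alerts(records, eval_day, z_limit=3.0):
    """Score each user's eval-day volume against their own history (user baseline)
    and against everyone sharing their role (role baseline); report z-scores above
    z_limit. A user with no history at all is reported as 'no-baseline' for review."""
    baseline_days = {d for d, *_ in records if d < eval_day}
    user_base, role_base = build_baselines(records, baseline_days)
    alerts = []
    for day, user, role, _, mb in records:
        if day != eval_day:
            continue
        if user not in user_base:
            alerts.append((user, "no-baseline", 0.0))
            continue
        checks = (("user-baseline", user_base[user]), ("role-baseline", role_base[role]))
        for label, (m, sd) in checks:
            z = (mb - m) / sd
            if z > z_limit:
                alerts.append((user, label, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("volume rule:", volume_alerts(RECORDS))
    print("baseline rule:", baseline_alerts(RECORDS, eval_day=7))
```

Run on day 7, alice is reported by both the user baseline and the role baseline, while bob and carol stay within three standard deviations; run on day 6, nothing is reported. The role baseline matters when a user's own history is short or already skewed, and the "no-baseline" path makes sure a first-seen account is surfaced for review rather than silently passing.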

1.2.5 Digital Forensics and Investigations

"A Road Map for Digital Forensic Research" defines digital forensic science as

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations [4].

Organizations should have digital forensic tools to support investigations and allow a properly trained individual to preserve, collect, and analyze digital artifacts on a system or device. These tools can be used to assist in the investigation of malicious insider actions and provide the necessary evidence for potential legal actions.

1.3 Notes on Tools

1.3.1 Implementation Costs

Organizations may benefit from using low cost or free tools. However, there are other costs associated with using any type of tool. Some low cost solutions may have little to no support from the developers, requiring individuals to support the tool and understand how to use and troubleshoot it. The tools may require the purchase of additional hardware or other software in order for them to work effectively. In some cases, multiple tools may be needed to satisfy a particular requirement. One software application may do something particularly well, but another might be needed to fill in gaps.

1.3.2 Testing

Applications discussed in this paper must be tested in a non-production environment before they are deployed to a production system. This will allow the organization to assess the application and determine whether it fits its needs. It will also allow the individuals charged with using and maintaining the product to become familiar with it, making the initial configuration of the software easier and less likely to cause issues in the production environment once deployed.

¹ The information in this section is excerpted from the CERT course Insider Threat Program Manager Certificate: Implementation and Operations, Module 9: Building and Managing the Insider Threat Hub, 2014-2016.

1.3.3 Risk Analysis and Cost-Benefit

There are tradeoffs to using low cost or open source software versus commercial software. Commercial software is typically supported by the company that developed it. It has likely gone through additional testing and other quality assurance procedures. Open source software may not have all of these benefits. Both commercial and open source solutions may still require the purchase of additional hardware and software to make the product work correctly and efficiently. It is important for organizations to evaluate their risk and conduct a cost-benefit analysis before implementing any commercial or open source solution.

1.3.4 Legal Issues

Legal counsel must be consulted before deploying technologies that could affect the privacy and legal rights of an employee. Any solution that monitors employee behavior, such as content filtering and email monitoring, must be evaluated by legal counsel before being implemented. This will allow the organization to identify any legal exposures these technologies create and implement appropriate mitigating controls to reduce the risk. Additionally, all the software licensing agreements should be reviewed before deploying or testing a solution. Some licensing agreements for free and closed source software prevent use in certain types of environments, such as using a tool for commercial purposes. In general, it is always a good idea to involve the legal team before implementing any new initiative.

The tools listed in this document are examples of products that can be used to jump start an insider threat program. The list is not exhaustive. CERT does not endorse or recommend products nor determine their suitability for use in any environment. Unless otherwise noted in this document, the software packages were not tested in a lab, and information collected about a product for this report was derived from publicly available information.

1.3.5 Country of Origin

One risk that can be easily overlooked when implementing a new technology is where the software application was developed. Countries that do not have good political or economic relations with the United States present risks. A software package may look appealing and have all of the features an organization needs, but you must understand the underlying risks of using that application. While this applies to software developed in foreign countries, software developed in an organization's native country can also pose risks. Some items to consider before implementing software include the following:

• What is the country of origin?
• Who are the developers?
• What type of support is available?
• What privileges are required on a system in order for it to function?
• What communication channels are observed when the software is functioning?
• What types of data are flowing within a given enclave, and does any sensitive data flow out of that enclave when the software is in use?
• Does the software present additional risks for data exfiltration and sabotage?
1.4 Disclaimer

The tools listed in this document are examples of products that can be used to jump start an insider threat program. The list is not exhaustive. CERT does not endorse or recommend these products specifically nor determine their suitability for use in any environment. Unless otherwise noted in this document, the software packages were not tested in a lab, and information collected about a product for this report was derived from publicly available information.
2 User Activity Monitoring

User activity monitoring involves a broad range of tools. According to the National Insider Threat Task Force, the Committee on National Security Systems (CNSS) Directive Number 504 states that UAM is "the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support authorized investigations." The same directive further states, "Each department/agency must have the following minimum capabilities to collect user activity data: key stroke monitoring and full application content (e.g., email, chat, data import, data export), obtain screen captures, and perform file shadowing for all lawful purposes. UAM data must be attributable to a specific user. The department/agency should incorporate this data into an analysis system capable of identifying anomalous behavior…" [1].

Non-government organizations may wish to adopt the above definition and requirement after consulting with legal counsel and establishing the organization's tolerance for risk. UAM tool capabilities range from capturing the content of email messages and chats to full screen and keyboard capture. These tools may focus on one particular monitoring capability or offer a suite of monitoring capabilities. There are several monitoring strategies that could be implemented to allow for the collection of data in support of the minimum capabilities, described below.

Client level: An application is installed on the client side to collect data. The client application may report the data back to a centralized collector for reporting and analysis. Client side applications may allow for the collection of data that could not otherwise be collected using the operating system's or monitored application's built-in settings or tools. However, client side monitoring may be susceptible to circumvention and detection by the end user.

Server level: Software or settings enabled on a server that allow the collection of data in support of the minimum capabilities. Typically, software installed on a client interacts with a server to function. Examples include enterprise chat and email. Server-side software may use the hosted application's built-in tools or have supplemental applications installed to capture user activity.

Network level: Infrastructure devices such as proxies, firewalls, and content filtering systems may be capable of collecting data to support the monitoring of user activities. Other devices may need to be installed at key ingress/egress points to collect additional information that installed infrastructure devices cannot.
Table 1 illustrates the minimum UAM capabilities and the monitoring strategies that may support the collection of this data. It should be noted that capabilities with the "X*" designation will be less effective due to encryption of any data that is in motion across the network.

Table 1: Minimum UAM Capabilities and Monitoring Points

Capability                                    Client   Server   Network
Key strokes                                   X
Content of chat                               X        X        X*
Content of files and documents                X        X        X*
Screen capture of display                     X
Video capture of display activities           X
Capture of file versions as they are edited   X        X
Web browser activity                          X                 X*
Clipboard (copy, cut, and paste) activity     X
Files accessed                                X        X
Kernel processes                              X
Applications executed by user                 X
USB port activity                             X
Removable media activity                      X
Email content                                 X        X        X*

2.1 Open Source HIDS SECurity (OSSEC)

Open Source HIDS SECurity (OSSEC) is a host-based intrusion detection system (HIDS). It is capable of monitoring changes to systems, such as changes to critical files or operating system configurations. It can be used on a variety of operating systems, including Microsoft Windows and Linux [5].

OSSEC can be used as a standalone package but is more easily managed in client-server deployment models. The software can be configured to monitor many aspects of a computer system. OSSEC is capable of monitoring processes and files.

Event logs and other files can be monitored for specific events or changes. Changes to the Microsoft Windows Registry can also be monitored. The Windows Registry contains a wealth of information that can be beneficial to the InTP. For example, OSSEC can be used to monitor when a new USB device is introduced to the system [6]. Note that if a USB device was previously connected to the computer being monitored, it may not be detected because registry values may not be created or updated. It is possible to remove the sub-keys of the USBSTOR registry hive by using a tool from Nirsoft known as "USBDeview"; however, before doing so, it should be tested on a non-production system [7].
2.2 Security Onion

Security Onion is a collection of tools combined into one Linux distribution that makes implementing monitoring of network traffic, through the use of intrusion detection systems, and log collection more manageable for organizations. Security Onion can be deployed quickly using its built-in setup wizard. Security Onion is also scalable; multiple sensors can be deployed and centrally managed. More information about Security Onion can be found at https://security-onion-solutions.github.io/security-onion/

2.3 Squid Proxy Server and Dansguardian

Squid proxy server is a software package that can be used to optimize the delivery of web content, which can help reduce bandwidth and provide additional features, such as logging [8]. Dansguardian works in conjunction with Squid proxy to provide content filtering. It can filter not only by IP address or URL but also by phrase matching. Both of these tools work together to produce logs that allow you to monitor user activity within an organization. Squid proxy can be found at http://www.squid-cache.org/ and Dansguardian can be found at http://dansguardian.org/
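As an added example of how proxy logs feed the user activity monitoring described above, the following parses Squid's native access.log format and rolls requests up per authenticated user, separating out requests the proxy could not attribute to anyone. This is not Squid's or Dansguardian's own code; the log lines, user names, host names, and TEST-NET addresses are constructed.

```python
"""Added example (not Squid's or Dansguardian's code): turning native-format Squid
access.log lines into a per-user activity summary. Log lines and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in Squid's native log format:
# time.ms elapsed client code/status bytes method URL user hierarchy/peer mime
SAMPLE_LOG = """\
1495012345.123    245 10.0.0.5 TCP_MISS/200 5432 GET http://www.example.com/index.html alice HIER_DIRECT/203.0.113.10 text/html
1495012346.456     12 10.0.0.5 TCP_DENIED/403 3621 GET http://filesharing.example/upload alice HIER_NONE/- text/html
1495012350.001   1803 10.0.0.7 TCP_TUNNEL/200 987654 CONNECT mail.example.net:443 bob HIER_DIRECT/203.0.113.9 -
1495012351.200     88 10.0.0.7 TCP_HIT/200 1200 GET http://intranet.example/policy.pdf bob HIER_NONE/- application/pdf
1495012352.300     40 10.0.0.9 TCP_MISS/200 800 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""


def parse_line(line):
    """Parse one native-format line into a dict; return None for anything malformed."""
    parts = line.split(None, 9)
    if len(parts) != 10:
        return None
    ts, _elapsed, client, code_status, size, method, url, user, _hier, mime = parts
    code, _, status = code_status.partition("/")
    # CONNECT (TLS tunnel) requests log host:port rather than a URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlparse(url).hostname or url)
    try:
        return {
            "time": datetime.fromtimestamp(float(ts), tz=timezone.utc),
            "client": client,
            "user": None if user == "-" else user,  # "-" means no proxy authentication
            "code": code, "status": int(status), "bytes": int(size),
            "method": method, "host": host, "mime": mime,
        }
    except ValueError:
        return None


def summarize(lines):
    """Roll requests up per user: count, bytes delivered to the client, distinct hosts,
    and requests the proxy or filter denied. Unauthenticated requests are grouped
    separately because UAM data should be attributable to a specific user."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set(), "denied": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["user"] or "(unauthenticated)"]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]  # native log records reply size, not upload size
        s["hosts"].add(rec["host"])
        if rec["code"].startswith("TCP_DENIED") or rec["status"] == 403:
            s["denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(user, s["requests"], "requests", s["bytes"], "bytes",
              sorted(s["hosts"]), "denied:", s["denied"])
```

Two caveats the summary makes visible: for tunnelled HTTPS the proxy only sees the host and port of the CONNECT request, which is the "X*" limitation from Table 1, and the byte count in the native format is the reply size sent to the client, so it does not measure what a user uploaded. Requests in the "(unauthenticated)" bucket indicate clients the proxy could not tie to a user and are worth reconciling against the authentication configuration.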

2.4 Intrusion Detection Systems

There are a number of intrusion detection systems (IDS) that can be used to monitor for various types of traffic or communications at key network perimeter ingress/egress points. For example, an IDS could be placed at the perimeter of a critical server enclave to monitor for specific types of attacks. These devices can be configured using rules developed by the organization's information security team, with the InTP providing guidance about the types of scenarios they should consider monitoring.

Some examples of IDS software that are freely available include

• BroIDS, available at https://www.bro.org/
• Security Onion, available at https://security-onion-solutions.github.io/security-onion/
• Snort, available at https://www.snort.org/
• Suricata IDS, available at http://suricata-ids.org/

2.5 Packet Capture

Organizations may need to capture and log all network activity to assist in incident response. However, full packet capture comes with a cost. An organization needs to determine where to position the device(s) and how much data they need to keep. The amount of data that passes through the sensor and is captured will determine the storage requirements as well. Hardware that is capable of capturing and storing the packets at a sufficient speed will also be needed. Having network data available can help an organization determine what events, at a network level, contributed to a security incident. A side benefit of a packet capture device is the ability to assist network engineers with troubleshooting. Many IDS devices offer the ability to capture packets when a rule is triggered. This can help when an incident is being investigated.

Some examples of packet capture tools are described below.

• Tcpdump is a Linux utility that can capture and analyze network traffic [9]. Tcpdump could be placed onto an appropriately sized server to monitor and collect network activity. More about tcpdump can be found at http://www.tcpdump.org/

• NetworkMiner is a Microsoft Windows-based application that can be used to capture and analyze network traffic using a GUI to make analysis easier for the analyst. More information about NetworkMiner can be found at http://www.netresec.com/?page=NetworkMiner

• Wireshark is a packet capture and analysis tool designed for both Microsoft Windows and Linux. It offers a visual interface to help visualize packet data [10]. More about Wireshark can be found at https://www.wireshark.org/
3 Data Loss Prevention

Data loss prevention (DLP) technologies generally protect data from leaving systems through unauthorized channels. When considering DLP technologies for use in an environment, you must consider the three types of data the system will be monitoring and protecting: data at rest, data in motion, and data in use.

Data at rest refers to data in storage awaiting use. Typically, data at rest refers to data stored on hard disk drives (HDD), solid state drives (SSD), removable media, or backup media, such as tapes. One of the more common ways to protect data at rest is through the use of encryption. Organizations may designate the use of encryption for certain types of data. For example, personally identifiable information (PII) or protected health information (PHI) may require the use of encryption depending on where it is stored. If the data leaves one storage location and is later stored at another location, such as data leaving a server for storage on removable media, the DLP solution may mandate the use of encryption on the removable media. The DLP solution may also check to verify that the media being used to store the data is authorized. For example, DLP solutions may enforce the use of particular USB flash drives with certain serial numbers or from specific manufacturers.

Data in motion is data flowing on the organization's networks. DLP systems for data in motion may include combinations of hardware and software sensors at critical enclave ingress/egress points. For example, sensors may be deployed in front of servers that contain critical data assets, or between two network segments with different levels of trust. As data leaves or enters the enclave it is checked to ensure it complies with the organization's information security policies.

Data in use can be thought of as data that is being manipulated by a system or end user. It can also include the creation, modification, or deletion of data on an endpoint, such as a workstation or mobile device.

The most common type of DLP system the Insider Threat Center at CERT sees involves systems deployed to prevent data exfiltration through the use of removable media, such as USB flash drives and other similar devices.

The Computer Security Handbook states that

"Organizations must understand not only their physical assets, but also their information assets and where they keep their most valuable and sensitive information and equipment. Physical assets, such as servers and workstations, are more easily tracked and protected. Data may be more difficult to track, but to protect it, organizations must understand the types of data they process, where they process it, and where they store it" [11].

This can be difficult for organizations to manage. The Insider Threat Center has seen organizations in the financial sector that give employees tools to scan their local workstations for sensitive data so that they may properly secure it, either by moving it to approved storage or by securely deleting the data. It is important for organizations to know where their most sensitive data resides so that they can best protect it.
3.1 OpenDLP

OpenDLP is a client/server-based tool that can scan endpoints for sensitive data. The client portion of the application is a service that resides on user workstations and scans the workstation based on settings pushed to it from the OpenDLP server. The OpenDLP server manages the results of the scans. OpenDLP also has the ability to scan Microsoft SQL Server and MySQL databases for sensitive information. It should be noted that OpenDLP does not prevent data loss but instead identifies where sensitive data lives within your organization. More information about OpenDLP can be found at https://github.com/ezarko/opendlp

3.2 MyDLP

MyDLP is a data loss prevention solution that has both a free community edition and a paid
enterprise edition. The community edition has a limited feature set, while the enterprise version
includes additional features and commercial support. The MyDLP website, http://www.mydlp.com,
lacks information comparing the two versions; however, the Internet Archive has a version of
their website with comparative information. This comparison may not be accurate today, but it
does provide an idea of the features the software offers. An archived version of the website can be
found at the Internet Archive at

https://web.archive.org/web/20131201103303/http://www.mydlp.com/features/

While there are few open source tools in the DLP tool space, the tools available can be leveraged
to help an organization identify and protect their sensitive information while initially establishing
their insider threat program.
4 Security Information and Event Management (SIEM)

Security information and event management systems can be one of the most important components
of an insider threat program. These systems receive log information from various devices
across the enterprise. Many products aimed primarily at log collection can be configured to have
SIEM-like functionality, or they can offer it via add-on products or licenses. Absent a full-fledged
solution, alerting on configured log queries can fulfill some requirements of a SIEM. Insider
threat programs typically have access to the enterprise SIEM. However, since the InTP mission
differs from the typical network operations and security mission, the InTP typically creates and
utilizes its own specific rule sets.

Figure 1 illustrates the vast amount of data that an insider threat program should analyze.² A
SIEM can help insider threat programs by consolidating logs into a central location and automatically
prioritizing events, making those with a higher priority more visible to an analyst for action.

² Figure 1 was originally developed for the CERT course Insider Threat Program Manager Certificate:
Implementation and Operations, Module 9: Building and Managing the Insider Threat Hub, 2014-2016.

Figure 1: Data Sources


A SIEM should have an easy-to-use interface and be highly configurable for both the organization
and the analyst. AlienVault states that

Logs are valueless unless subjected to regular and random review, with follow-up if
anomalies are detected. It is unrealistic to expect an individual to pore over voluminous log
files on a daily basis. However, log aggregation and correlation technology can be employed
to provide an additional layer of confidence as anomalous activity across systems can be
related — potentially identifying an attack pattern or other irregular activity that would not
be apparent from a single log [12].


It is not enough to simply install a SIEM and have logs sent to it. A typical SIEM may process
hundreds to hundreds of thousands of events per second. With such a large volume of data, the
SIEM rules must be finely tuned and the system configured appropriately to help determine which
events are important to both the InTP and the organization’s mission. The SIEM will process the
events, categorizing and correlating them according to those specific rules. It may also be configured
to email high priority alerts to insider threat program staff. InTP staff should have the ability,
via dashboards or other means, to review and explore all events captured by the SIEM.
4.1 OSSIM

OSSIM by AlienVault provides event collection, normalization, and correlation [13]. AlienVault
also offers a commercial version of this product with more features, such as allowing multiple users
with role-based access control (RBAC), tiered architecture, and customizable reports. A comparison
of the open source and commercial product can be found at
https://www.alienvault.com/products/compare-ossim-to-alienvault-usm

4.2 LOGalyze

LOGalyze is a SIEM that is free to download. While not open source, it is free to use in an enterprise
environment. The software has the ability to ingest various log sources, such as files, SNMP,
and other system logs. The tool can export reports to a variety of formats and can generate alerts
when one or more events meets certain user-defined criteria. Additionally, the tool comes
preconfigured with some compliance reports, including HIPAA, PCI-DSS, and Sarbanes Oxley.

More about LOGalyze, including how to download and install it, can be found at
http://www.logalyze.com/

4.3 Enterprise Log Search and Archive (ELSA)

ELSA is a free and open source log aggregation and search tool. It will ingest logs from most
common sources, normalize them, and provide the user with a searchable database. ELSA provides
a custom query capability, and any query can be saved as an alert. While ELSA does not
have many “point and click” reporting capabilities or dashboards, it is a highly customizable tool
that can be configured with any number of particular searches or alerts. It is also worth noting that
the aforementioned Security Onion tool suite also includes ELSA. More information, and the software
itself, can be found at https://github.com/mcholste/elsa

4.4 The Elastic Stack

Formerly referred to as Elasticsearch, Logstash, and Kibana (ELK), the Elastic Stack is another
open source tool suite that provides log aggregation and reporting, and it also offers a subscription
service for technical support. Much like ELSA, the Elastic Stack can ingest most common logging
sources and provide a configurable platform for searches, alerts, and visualization. More information
about the Elastic Stack, including how to download it, can be found at
https://www.elastic.co/
5 Analytics

Analytics allow the insider threat team to discreetly identify anomalies and analyze potential insider
threat activity.³ The InTP collects a tremendous amount of data, often by a SIEM. Once data
is in a repository, it must be analyzed in order to be of use to the InTP. This capability belongs
with the InTP hub. The insider threat hub is a centralized capability for insider threat analysis and
response. Some of the capabilities of the hub include

• collecting, correlating, and aggregating data from disparate sources

• developing, deploying, and refining indicators of potential insider activity

• evaluating detected instances of potential insider activity

• providing supporting information to incident investigators and responders

It should be noted that the InTP hub is not a specific tool; it is a collection of tools and capabilities
that support the InTP. The hub helps to paint a picture of the “whole person.” That is, no one indicator
can identify a potential malicious insider. It takes multiple indicators to help establish
whether or not a person should be of interest to the InTP.

Figure 1 depicts all of the data sources that should feed into the InTP hub. This data may be scattered
across the enterprise. Ultimately, this data should be centrally collected and maintained.
However, laws, regulations, and organizational policies dictate how this information is collected
and managed. The InTP needs access to these data sources to help paint a more complete picture
of an individual and understand all aspects of the inquiry.

To jump start an InTP, the organization must identify the types of scenarios that it wants to defend
against, starting small and growing the program once it has perfected a few capabilities. Once the
organization has selected scenarios, the organization needs to determine what data feeds would
allow them to prevent, detect, and respond to the identified scenario. The data feeds will then need
to be examined to determine if they contain sufficient information to help support the identification
of malicious insider activity. In some cases, the data feed may be insufficient and additional
fine tuning may be needed. For example, certain account actions may be missing from a log, but
can be made available easily by adjusting account audit policies. Once the organization is able to
identify malicious insiders given the selected cases, the organization can then build upon this capability
by selecting additional scenarios it wants to include in the InTP.
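The scenario-driven approach just described, together with the SIEM rule tuning and event prioritization discussed in Section 4, as an added Python example that is not part of this note or of any tool it describes: a small hub that first checks whether the data feeds for one constructed scenario (removable media exfiltration) carry the fields the scenario needs, then sums several weak indicators per person so that only a combination of indicators, not any single one, produces a prioritized alert. The scenario, feed and field names, indicator weights, threshold and all records are assumptions made for illustration.

```python
"""Scenario-driven indicator correlation for an insider threat hub.
Added example, not part of the CERT note. The scenario, feeds, field names,
indicator weights and records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Step 1: the scenario names the data feeds it needs and the fields each feed
# must carry. A feed that lacks a required field is insufficient and needs
# tuning (for example, enabling an audit policy) before the scenario can work.
SCENARIOS = {
    "removable_media_exfiltration": {
        "dlp": {"user", "timestamp", "device", "bytes"},
        "badge": {"user", "timestamp", "action"},
        "hr": {"user", "timestamp", "event"},
    },
}

# Step 2: indicators, each tied to one feed. No single indicator identifies a
# malicious insider; weights are summed per person across all feeds.
def is_large_usb_write(e):
    return e["device"] == "usb" and e["bytes"] > 100_000_000

def is_after_hours_entry(e):
    hour = datetime.fromisoformat(e["timestamp"]).hour
    return e["action"] == "entry" and (hour < 6 or hour >= 20)

def is_resignation_notice(e):
    return e["event"] == "resignation_notice"

INDICATORS = [  # (feed, predicate, weight); the weights are assumptions
    ("dlp", is_large_usb_write, 3),
    ("badge", is_after_hours_entry, 1),
    ("hr", is_resignation_notice, 2),
]
ALERT_THRESHOLD = 5  # assumption: several indicators must co-occur to alert

def check_feed_sufficiency(scenario, feeds):
    """Return {feed: missing_fields} for every feed that cannot support the scenario."""
    gaps = {}
    for name, required in SCENARIOS[scenario].items():
        records = feeds.get(name) or []
        present = set().union(*(r.keys() for r in records))
        missing = required - present
        if missing:
            gaps[name] = missing
    return gaps

def score_persons(feeds):
    """Sum indicator weights per user; records lacking a field are skipped."""
    scores, hits = defaultdict(int), defaultdict(list)
    for feed_name, predicate, weight in INDICATORS:
        for e in feeds.get(feed_name, []):
            try:
                matched = predicate(e)
            except KeyError:
                continue  # feed gap: surfaced by check_feed_sufficiency
            if matched:
                scores[e["user"]] += weight
                hits[e["user"]].append((feed_name, e["timestamp"]))
    return dict(scores), dict(hits)

def prioritize(feeds, threshold=ALERT_THRESHOLD):
    """Persons whose combined score reaches the threshold, highest first."""
    scores, hits = score_persons(feeds)
    ranked = [(u, s, hits[u]) for u, s in scores.items() if s >= threshold]
    return sorted(ranked, key=lambda t: -t[1])

# Constructed sample feeds. alice: resignation notice, then an after-hours
# entry and a large USB write. bob: a single after-hours entry only.
SAMPLE_FEEDS = {
    "dlp": [
        {"user": "alice", "timestamp": "2016-03-01T22:30:00", "device": "usb", "bytes": 250_000_000},
        {"user": "bob", "timestamp": "2016-03-01T10:00:00", "device": "usb", "bytes": 2_000_000},
    ],
    "badge": [
        {"user": "alice", "timestamp": "2016-03-01T22:15:00", "action": "entry"},
        {"user": "bob", "timestamp": "2016-03-01T21:05:00", "action": "entry"},
    ],
    "hr": [{"user": "alice", "timestamp": "2016-02-28T09:00:00", "event": "resignation_notice"}],
}
# The same feeds with the HR event type not logged: the sufficiency check
# reports the gap rather than letting the indicator silently score zero.
INSUFFICIENT_FEEDS = {**SAMPLE_FEEDS,
                      "hr": [{"user": "alice", "timestamp": "2016-02-28T09:00:00"}]}
```

With the sample feeds only alice reaches the threshold (3 + 1 + 2 = 6); bob's single after-hours entry scores 1 and is never surfaced. With the HR event type missing, alice drops to 4 and the feed gap is reported instead, which is the cue to adjust logging before trusting the scenario.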

Analytic tools that are part of insider threat programs fall into two categories:

1. Machine learning, as defined by Arthur Samuel, is a “field of study that gives computers the
ability to learn without being explicitly programmed” [14].

2. Predictive analytics, as described by the Machine Learning Group at the University of Waikato,
is “a set of business intelligence (BI) technologies that uncovers relationships and patterns
within large volumes of data that can be used to predict behavior and events. Unlike other
BI technologies, predictive analytics is forward-looking, using past events to anticipate the
future” [15].

³ The information in this section is excerpted from the CERT course Insider Threat Program Manager Certificate:
Implementation and Operations, Module 9: Building and Managing the Insider Threat Hub, 2014-2016.

In many cases, these tools are combined to monitor the vast amounts of data the InTP collects.
The assistance of these tools is required to sift through the data to identify patterns.

The two tools that follow can help the InTP hub analyze the data it receives. These tools may require
expertise from people across the organization in order to be integrated.

5.1 Weka

Weka is a tool that can be used to analyze large data sets using machine learning [16]. Machine
learning can be applied to large data sets to identify patterns of activity that may be of interest to
an InTP. More information about Weka can be found at http://www.cs.waikato.ac.nz/ml/weka/

5.2 RapidMiner

RapidMiner is a predictive analytics tool designed to help organizations predict events. The tool
can be used to analyze events to help the end user make more informed decisions about events
that may occur. This could be beneficial to InTPs by allowing them to identify people of interest
before they become malicious insiders. More information about the tool can be found at
https://rapidminer.com/
6 Digital Forensics and Investigations

A key part of any successful insider threat program is the ability to conduct a sound forensic examination
of digital evidence. Malicious insiders use technology to carry out their crimes, and evidence
of these crimes can be found on the systems they use. However, preserving, recovering,
analyzing, and reporting this evidence is the biggest challenge many organizations face. The costs
of commercial tools for conducting a digital forensic investigation can be significant.

It is also important to note that an untrained individual can create a liability to an organization when
attempting to conduct an investigation. Valuable evidence could be lost forever, exculpatory evidence
could be missed, and data could be misinterpreted. This creates a risk to the organization by
exposing it to lawsuits and can undermine the legal process. Therefore, before deciding to implement
a digital forensics capability within an organization, careful consideration must be given to
the organization’s risk tolerance, existing capabilities, and the digital forensics knowledge of current
staff. An individual with deep technical knowledge, such as a systems or network administrator,
may be good at their job, but that does not make them an investigator without the proper training
and experience. Management should work with their organization’s legal counsel when
developing a digital forensics capability.

Senior leadership must also understand the other costs associated with a digital investigation capability,
such as

• specialized hardware (e.g., write blockers, storage, forensic workstations, servers)

• software licensing and annual maintenance renewals

• evidence storage facilities

• annual training for staff

It may be more beneficial and cost effective to outsource a digital investigation than to implement
the capability at a particular organization.

Careful consideration must be used when deploying a tool to aid in digital investigations. A
tool should be tested in a controlled environment so that its results are repeatable and reproducible.

The National Institute of Standards and Technology provides the following related definitions:

• repeatability: precision under repeatability conditions

• repeatability conditions: conditions where independent test results are obtained with the
same method on identical test items in the same laboratory by the same operator using the
same equipment within short intervals of time

• reproducibility: precision under reproducibility conditions

• reproducibility conditions: conditions where test results are obtained with the same method
on identical test items in different laboratories with different operators using different equipment

As applied to computer forensic testing, repeatability is defined as the ability to get the same
test results on the same testing environment (i.e., the same computer, disk, mode of operation,
and so forth). Reproducibility is defined as the ability to get the same test results on a
different testing environment (i.e., a different PC, hard disk, operator, and so forth) [17].

It is important to note that courts do not approve digital forensics tools. This term is often confused
with “court accepted.” According to the Frye Standard, “Forensic tools, techniques, procedures,
and evidence are admissible in court if they have a ‘general acceptance’ in the scientific
community” [18]. Any tool, whether open source or closed source, must undergo testing to ensure
it is able to produce accurate, reliable, repeatable, and reproducible results. When introducing a
tool or technique to their investigations, digital investigators should keep the Daubert standard in
mind, which is defined as a

Standard used by a trial judge to make a preliminary assessment of whether an expert’s scientific
testimony is based on reasoning or methodology that is scientifically valid and can
properly be applied to the facts at issue. Under this standard, the factors that may be considered
in determining whether the methodology is valid are: (1) whether the theory or technique
in question can be and has been tested; (2) whether it has been subjected to peer review
and publication; (3) its known or potential error rate; (4) the existence and maintenance
of standards controlling its operation; and (5) whether it has attracted widespread acceptance
within a relevant scientific community [19].

Before using any forensic tool or technique, consult with legal counsel to ensure that it will withstand
legal scrutiny and is acceptable to use.

6.1 FTK Imager

FTK Imager is a tool used by incident first responders to preserve evidence before it is destroyed.
While it is not an open source tool, it is available free from AccessData. FTK Imager should not
be confused with AccessData’s Forensic Toolkit (FTK). FTK Imager is for acquiring evidence
that will preserve the data in a manner that meets evidence admissibility requirements. FTK Imager
is not for conducting in-depth forensic examinations.

FTK Imager allows you to preview data on a device and make a forensically sound image of the
evidence without making changes to the device being imaged [20]. FTK Imager should be used in
conjunction with a hardware write-blocking device to prevent inadvertent changes to evidence. The
write-blocking device will prevent data from being written to the device connected to it for imaging
and analysis. It is important to note that solid state drives (SSDs) present new challenges to the
forensics community, such as garbage collection and wear leveling, which may cause hash values
not to match. Further discussion of this technology is outside the scope of this paper, however. FTK
Imager can be obtained from http://accessdata.com/product-download7/support/product-downloads

Once a forensic image of a subject’s computer or storage media is obtained, a duplicate copy of
the image should be created. The duplicate image can then be examined using other forensic tools.
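Creating and checking that duplicate, as an added Python example that is not part of this note or of FTK Imager: the acquired image's size and hashes are recorded in a manifest, and a working copy is verified against the manifest before examination so that an altered copy (here, a constructed image with one flipped byte) is rejected. The manifest layout, file names and sample content are assumptions.

```python
"""Record acquisition hashes of a forensic image and verify a working copy.
Added example, not from the CERT note or from FTK Imager. The manifest
format and the constructed sample images are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images do not fill memory

def hash_file(path):
    """Return MD5 and SHA-256 of a file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def write_manifest(image_path, manifest_path, note=""):
    """Record size and hashes of the acquired image (the evidence original)."""
    manifest = {"image": os.path.basename(image_path),
                "size": os.path.getsize(image_path),
                "note": note, **hash_file(image_path)}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_copy(copy_path, manifest_path):
    """Compare a working copy to the manifest; return (ok, mismatches)."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = hash_file(copy_path)
    actual["size"] = os.path.getsize(copy_path)
    mismatches = {k: (expected[k], actual[k]) for k in ("size", "md5", "sha256")
                  if expected[k] != actual[k]}
    return (not mismatches), mismatches

def demo():
    """Constructed demo: a faithful copy verifies, a copy with one flipped byte does not."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        good = os.path.join(d, "working_copy.dd")
        bad = os.path.join(d, "altered_copy.dd")
        manifest = os.path.join(d, "evidence.manifest.json")
        data = bytes(range(256)) * 8192  # 2 MiB of constructed sample content
        with open(image, "wb") as f:
            f.write(data)
        with open(good, "wb") as f:
            f.write(data)
        with open(bad, "wb") as f:
            f.write(data[:-1] + bytes([data[-1] ^ 0x01]))  # same size, one bit changed
        write_manifest(image, manifest, note="constructed sample image")
        return verify_copy(good, manifest)[0], verify_copy(bad, manifest)[0]
```

A size-only comparison would pass the altered copy; the hash comparison is what catches it, and the same check is what surfaces the SSD-related hash mismatches mentioned above.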
6.2 Autopsy

Autopsy is a GUI-based software application that allows an analyst to examine various types of
evidence that may be involved in an incident. Additional plugins can be developed to enhance
Autopsy’s capabilities [21].

Autopsy has many of the same features as some of the commercial digital forensics packages,
such as AccessData’s Forensic Toolkit (FTK) and Guidance Software’s EnCase Forensic. A new
feature available in Autopsy is the ability for multiple people to collaborate on a case at one time.

Autopsy is a powerful tool that can be used by organizations to investigate incidents. It has a robust
feature set that can be used to examine evidence collected to help determine the cause of an
incident and possibly what the subject did. Autopsy can be downloaded from
http://www.sleuthkit.org/autopsy/

6.3 Volatility

Volatility is a framework for analyzing memory captures from a computer system. Memory captured
from a computer system can be used to help further an investigation. For example, memory
may contain information about the processes that were executing on a system. If data encryption
is in use on the system, the encryption keys may be found in memory. This information can be
used to help paint a picture of what a subject may be doing should they be suspected of malicious
insider activity. More information about Volatility can be found at
http://www.volatilityfoundation.org/

6.4 SANS Investigative Forensic Toolkit (SIFT)

The SIFT workstation is a compilation of free and open source forensics tools contained within a
Linux virtual appliance. The toolkit is preconfigured and ready to use as a virtual appliance, or it
can be manually built on top of an Ubuntu machine using scripts to compile and build the workstation.

The SIFT workstation contains a variety of tools that can be used to conduct an investigation or
respond to an incident. A complete investigation can be conducted with the tools included in the
workstation. The SIFT workstation can be downloaded from
http://digital-forensics.sans.org/community/downloads#locations

6.5 CERT Forensics Tools

CERT offers an extensive set of forensics tools to help investigators. The SEI states that “The
CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition
and analysis practitioners” [22]. The tool repository instructions can be found by accessing
https://forensics.cert.org/

Additionally, CERT provides a virtual machine based appliance, Appliance for Digital Investigation
and Analysis (ADIA), which enables an investigator to use open source tools to conduct an
investigation.

CERT describes this appliance as follows:

ADIA is a VMware-based appliance used for digital investigation and acquisition and is built
entirely from public domain software. Among the tools contained in ADIA are Autopsy, the
Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of
the system maintenance uses Webmin. The appliance runs under Linux, Windows, and Mac
OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.

ADIA is available to the public and is designed for small-to-medium sized digital investigations
and acquisitions. It provides an alternative method for conducting digital investigations
[23].

More information about ADIA and download instructions can be found at
http://www.cert.org/digital-intelligence/tools/adia.cfm

CERT also offers some standalone tools that an investigator can use to supplement their investigation,
described as follows:

• AfterLife permits the collection of physical memory contents from a system after a warm or
cold reboot.

• PINO is a lightweight front end for network visualization and utilizes the open source network
monitoring tools SiLK and SNORT to create an easy-to-use dashboard for situational
awareness.

• LATK is a collection of command line and web-based tools for use in incident response and
long-term analysis of web server and proxy server log data [24].

More information about these tools and how to download them can be found at
http://www.cert.org/digital-intelligence/tools/

6.6 Other Open Source Linux Distributions

There are numerous Linux distributions that contain standalone forensic tools, and some distributions
contain complete forensic toolkits. One example of a complete Linux distribution is
PALADIN, described as follows:

PALADIN is a modified “live” Linux distribution based on Ubuntu that simplifies various
forensics tasks in a forensically sound manner via the PALADIN Toolbox. PALADIN is
a complete solution for triage, imaging, examination and reporting [25].

More information is available at https://www.sumuri.com/product/paladin-for-linux-2/#
7 Summary

Insider threat programs use five categories of tools to help their organization prevent, detect, and
respond to malicious insider activity. These categories include

1. user activity monitoring (UAM)

2. data loss prevention (DLP)

3. security information and event management (SIEM)

4. analytics

5. digital forensics

Tools from each of these categories should be used to make up the minimum needed to start an
insider threat program. These tools will allow the organization to better understand how employees
interact with systems and data.

User activity monitoring tools allow organizations to understand how employees interact with all
endpoints in their environment. These tools monitor how an employee uses company-owned assets.

Data loss prevention tools protect the organization’s data by leveraging technology to enforce
where and how data is stored and who may access it. Data loss prevention also enforces the organization’s
data classification policies and may take action to prevent data from being stored or
transmitted in an unapproved manner.

Security information and event management systems collect and manage logs from various devices
across the enterprise and help identify events that may be of interest to the organization.
These systems help organizations digest large volumes of information and provide alerts on
events of interest to the InTP.

Analytic tools leverage the data in security information and event management systems to discover
patterns and trends in data that may be useful for identifying malicious insider threat behavior.
Analytic tools help organizations process large volumes of information and assist in determining
if any actionable intelligence is contained in the data.

Digital forensics and investigation tools allow an organization to respond to a malicious insider
incident. These tools help the organization determine if and how an incident occurred. Information
gleaned from these tools can be used to help strengthen the organization’s security posture
by incorporating lessons learned from the incident.

Organizations looking to start an insider threat program may have limited budgets for getting the
technical part of the program off the ground. Therefore, organizations should look to leverage
technology they already have by considering how it can help an insider threat program. If existing
tools are insufficient and the organization has a limited budget, low cost tools should be evaluated
to determine if they will help fill gaps in the InTP. While the tools may be low cost, ongoing support
and maintenance of the tools is another factor the organization must consider when deciding
whether or not to implement a particular tool.